General
Target: mal files.7z
Size: 1.8MB
Sample: 250129-jjm26sxpbq
MD5: 3f001e30ee2d7db4b4fa1745284a7fe1
SHA1: ccaacb79d9a742814e8a62b8667648b0fc22dacc
SHA256: e838d4d743774a6a9162c0e7e46a0d917b0a46b4ef866b0b53f21f1baa7f235d
SHA512: 6469c4ade92569fe2ebbf25bb05c1c2b8c5bc811031f85a7623280b1780e35a5ea7ea60886c051997da5f76bfe7dd76daf1adf524a6cdf944d936ecbf5231f5d
SSDEEP: 49152:cztpMVqmif4g7cwWJRCgnXxjg2ufrgmOoyouzEeOvZbFG:cn8U4g7cJCShjg2ufUDFouzEe8bFG
Static task: static1
Behavioral task: behavioral1
Sample: mal files.7z
Resource: win11-20241007-en
Malware Config

Extracted config 1: asyncrat
  Default
  C2: 62.60.190.196:3232
  C2: 62.60.190.141:3232
  delay: 1
  install: false
  install_folder: %AppData%

Extracted config 2: asyncrat
  Venom RAT + HVNC + Stealer + Grabber v6.0.3
  Default
  C2: 62.60.190.196:4449
  C2: 62.60.190.141:4056
  xarthrbwxivaw
  delay: 1
  install: false
  install_folder: %AppData%

Extracted config 3: xworm
  5.0
  C2: 62.60.190.196:8000
  3DLXwFK4fvjj0Qvr
  install_file: USB.exe
Targets
Target: mal files.7z (1.8MB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above)
- Asyncrat family
- Detect Xworm Payload
- Stealerium family
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm family
- Async RAT payload
- Downloads MZ/PE file
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
MITRE ATT&CK Enterprise v15 (technique hit counts in parentheses)

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (2)
    Component Object Model Hijacking (1)
    Netsh Helper DLL (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (2)
    Component Object Model Hijacking (1)
    Netsh Helper DLL (1)

Defense Evasion
  Modify Registry (1)
  Subvert Trust Controls (1)
    SIP and Trust Provider Hijacking (1)